EP2704389B1 - Method, device and system for protecting data security in cloud - Google Patents

Method, device and system for protecting data security in cloud Download PDF

Info

Publication number
EP2704389B1
EP2704389B1 EP11866813.6A EP11866813A EP2704389B1 EP 2704389 B1 EP2704389 B1 EP 2704389B1 EP 11866813 A EP11866813 A EP 11866813A EP 2704389 B1 EP2704389 B1 EP 2704389B1
Authority
EP
European Patent Office
Prior art keywords
encrypted data
terminal
key
data
management center
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
EP11866813.6A
Other languages
German (de)
English (en)
French (fr)
Other versions
EP2704389A4 (en
EP2704389A1 (en
Inventor
Jingbin ZHANG
Chengdong He
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to EP16205683.2A priority Critical patent/EP3229436B1/en
Publication of EP2704389A1 publication Critical patent/EP2704389A1/en
Publication of EP2704389A4 publication Critical patent/EP2704389A4/en
Application granted granted Critical
Publication of EP2704389B1 publication Critical patent/EP2704389B1/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0471Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying encryption by an intermediary, e.g. receiving clear information at the intermediary and encrypting the received information at the intermediary before forwarding

Definitions

  • the present invention relates to the field of IT technologies, and in particular to a method, an apparatus, and a system for protecting cloud data security.
  • cloud data In the cloud computing field, user data stored at a cloud end (a cloud server) is called cloud data.
  • a user loses direct control of data when storing the data at the cloud end and data security cannot be ensured.
  • An important measure to protect data security is to encrypt the data.
  • terminal A encrypts data and uploads the encrypted data to a cloud server.
  • Another terminal such as terminal B, requests a key from terminal A after loading the encrypted data from the cloud server and after obtaining the key, uses the key to decrypt the encrypted data.
  • the prior art has the following disadvantage:
  • another terminal such as terminal B, may request to obtain a key that is used by terminal A to encrypt data.
  • this method is used, if the key is not properly protected, it is possible that key leakage occurs, so that data sharing is not secure.
  • the present invention provides a method, an apparatus, and a system for protecting cloud data security, so that a key of cloud data may not be leaked during a process where another terminal acquires the cloud data.
  • a method for protecting cloud data security includes in its first implementation form:
  • the method for protecting cloud data security includes in its second implementation form:
  • a key management center includes:
  • a terminal includes:
  • a system for protecting cloud data security includes a key management center according to above aspect, a first terminal, and a second terminal, where:
  • a key management center encrypts original data M and stores, in the key management center, a key for encrypting the original data M; and when receiving a request for decrypting data or a request for downloading data sent by a second terminal, the key management center does not directly provide an encryption key of encrypted data C1 stored in a cloud server for the second terminal but sends encrypted data C2 that is obtained by processing the encrypted data C1 to the second terminal.
  • the method may not only ensure that the second terminal can obtain the original data M finally according to a key owned by the second terminal, but also ensure that a key of the encrypted data C1 stored in the cloud server may not be leaked during a process where the second terminal acquires cloud data, thereby reducing a risk of key leakage and enhancing security of data sharing.
  • FIG. 1 is a diagram of a networking architecture for protecting cloud data security according to an embodiment of the present invention. It can be known from FIG. 1 that, a key management center locates at a user end. When a first terminal uploads data, the key management center is responsible for encrypting the data and uploading the encrypted data to a cloud server for storage; when the data is downloaded, the key management center is responsible for processing the obtained encrypted data and sending the processed data to a second terminal, so that the second terminal can decrypt the processed data according to a key owned by the second terminal, so as to obtain original data.
  • a manner for forming the key management center includes but is not limited to any one of the following:
  • the key management center is formed by one or more terminals.
  • the key management center is formed by one or more servers and one or more terminals.
  • FIG. 2 shows a method for protecting cloud data security under the networking architecture shown in FIG. 1 according to an embodiment of the present invention.
  • the method includes:
  • the key management center encrypts the original data M according to a key K generated by the key management center, so as to obtain encrypted data C1.
  • the key K is generated and stored by the key management center and the key management center does not send the key K to any terminal, including the first terminal, thereby ensuring that the key K of the encrypted data is secure.
  • S203 The key management center uploads the encrypted data C1 to a cloud server for storage.
  • the key management center When receiving a request for decrypting data or a request for downloading data sent by a second terminal, the key management center obtains encrypted data C2 and sends the encrypted data C2 to the second terminal, so that the second terminal decrypts the encrypted data C2 according to a key owned by the second terminal, so as to obtain the original data M, where the encrypted data C2 is obtained by processing the encrypted data C 1.
  • a manner for the key management center to obtain the encrypted data C2 provided in this embodiment of the present invention may include any one of the following manners:
  • Manner 2 When receiving a request for decrypting second intermediate encrypted data C1" sent by the second terminal, the key management center decrypts the second intermediate encrypted data C1" to obtain the encrypted data C2, where the second intermediate encrypted data C1" is obtained after the second terminal encrypts the encrypted data C 1.
  • Manner 3 When receiving a request for decrypting the encrypted data C1, a request for downloading the original data M, or a request for downloading the encrypted data C1 sent by the second terminal, the key management center obtains the encrypted data C1, firstly decrypts the encrypted data C1 according to the key K to obtain the original data M, and then encrypts the original data M to obtain the encrypted data C2.
  • original data in this embodiment of the present invention is named as M
  • encrypted data is named as C1 and C2
  • a key is named as K.
  • the foregoing names are exemplary names made for clear description in this embodiment of the present invention. Those skilled in the art may definitely name the original data, the encrypted data, and the key in other forms. Therefore, a naming manner used in this embodiment does not impose a limitation on the present invention and so does not in the following embodiments.
  • a key management center encrypts original data M and stores, in the key management center, a key for encrypting the original data M; and when receiving a request for decrypting data or a request for downloading data sent by a second terminal, the key management center does not directly provide an encryption key of encrypted data C1 stored in a cloud server for the second terminal but sends encrypted data C2 that is obtained by processing the encrypted data C1 to the second terminal.
  • the method may not only ensure that the second terminal can obtain the original data M finally according to a key owned by the second terminal, but also ensure that a key of the encrypted data C1 stored in the cloud server may not be leaked during a process where the second terminal acquires cloud data, thereby reducing a risk of key leakage and enhancing security of data sharing.
  • FIG. 3 shows another method for protecting cloud data security under the networking architecture shown in FIG. 1 according to an embodiment of the present invention.
  • the method includes:
  • the second terminal may firstly acquire encrypted data C1 from the cloud server and then request the key management center to decrypt the data, or may directly request downloading of original data M or encrypted data C1 from the key management center.
  • a specific implementation manner may include any one of the following:
  • Manner 2 The second terminal sends a request for downloading the original data M or a request for downloading the encrypted data C1 to the key management center.
  • Manner 3 After acquiring the encrypted data C 1 from the cloud server, the second terminal encrypts the encrypted data to obtain second intermediate encrypted data C1" and then sends a request for decrypting the second intermediate encrypted data C" to the key management center.
  • the second terminal receives encrypted data C2 sent by the key management center, where the encrypted data C2 is obtained by processing the encrypted data C1, the encrypted data C 1 is data stored in the cloud server, and the encrypted data C1 is obtained after the key management center encrypts, according to a key K generated by the key management center, the original data M sent by the first terminal.
  • a specific implementation manner in this embodiment may be as follows: If the key management center receives the request for decrypting the encrypted data C1, the request for downloading the original data M, or the request for downloading the encrypted data C1 sent by the second terminal, the key management center obtains the encrypted data C1 according to the received request, and performs decryption after encryption processing or performs encryption after decryption processing on the encrypted data C1, so as to obtain the encrypted data C2; or if the key management center receives the request for decrypting the second intermediate encrypted data C1" sent by the second terminal, the key management center decrypts the second intermediate encrypted data C1", so as to obtain the encrypted data C2.
  • the second terminal decrypts the encrypted data C2 according to a key owned by the second terminal, so as to obtain the original data M.
  • a second terminal does not directly acquire an encryption key of encrypted data C1 stored in a cloud server but obtains encrypted data C2 that is obtained by processing the encrypted data C1.
  • the method may not only ensure that the second terminal can decrypt the encrypted data C2 according to a key owned by the second terminal, so as to obtain original data M; but also ensure that a key of the encrypted data C1 stored in the cloud server may not be leaked during a process where the second terminal acquires encrypted data, thereby reducing a risk of key leakage and enhancing security of data sharing.
  • FIG. 4 is an implementation flowchart of a third method embodiment under the networking architecture shown in FIG. 1 according to an embodiment of the present invention. This embodiment includes:
  • the key K is generated and stored by the key management center and the key management center does not send the key K to any terminal, including the first terminal, thereby ensuring that the key of the encrypted data is secure.
  • the exchangeable encryption algorithm has the following property:
  • N N N * N ⁇ 1 * ... * 2 * 1 different combinations exist, and results of encryption according to each combination are the same.
  • a key for decrypting an encryption result is the same as a key for encryption.
  • the key management center uploads the encrypted data C1 to a cloud server for storage.
  • S405 The second terminal receives the encrypted data C1 returned by the cloud server.
  • the second terminal may also acquire the encrypted data C1 by using the following manner:
  • the second terminal sends a request for decrypting data to the key management center, where in this embodiment, the request for decrypting data is a request for decrypting the encrypted data C 1, and the key management center obtains the encrypted data C 1.
  • a manner for the key management center to obtain the encrypted data C1 provided in this embodiment of the present invention may include any one of the following manners:
  • Manner 2 The request for decrypting the encrypted data C1 does not carry the encrypted data C1, and the key management center receives the request for decrypting the encrypted data C1 sent by the second terminal, and sends an instruction for acquiring the encrypted data C1 to the second terminal, so as to instruct the second terminal to send the encrypted data C1 to the key management center.
  • the key management center may also make a request for acquiring the encrypted data C1 to the cloud server, which is not described herein in further detail in this embodiment.
  • step S407 The key management center authenticates the second terminal, and if the authentication succeeds, performs step S408.
  • the key management center negotiates with the second terminal through a key exchange algorithm, so as to obtain a key Ki.
  • the exchangeable encryption algorithm for encrypting the encrypted data C1 to obtain the first intermediate encrypted data C1' is negotiated with the second terminal in advance.
  • S411 The key management center sends the encrypted data C2 to the second terminal.
  • S412 The second terminal decrypts the encrypted data C2 according to a key owned by the second terminal, so as to obtain the original data M, where in this embodiment, the second terminal uses the exchangeable encryption algorithm to decrypt the encrypted data C2 according to the key Ki owned by the second terminal, so as to obtain the original data M.
  • a key management center encrypts original data M and stores, in the key management center, a key for encrypting the original data M; and when receiving a request for decrypting data or a request for downloading data sent by a second terminal, the key management center does not directly provide an encryption key of encrypted data C1 stored in a cloud server for the second terminal but sends encrypted data C2 that is obtained by processing the encrypted data C1 to the second terminal.
  • the method may not only ensure that the second terminal can obtain the original data M finally according to a key owned by the second terminal, but also ensure that a key of the encrypted data C1 stored in the cloud server may not be leaked during a process where the second terminal acquires cloud data, thereby reducing a risk of key leakage and enhancing security of data sharing.
  • the key management center firstly encrypts the obtained encrypted data C1 and then decrypts an encryption result according to a property of an exchangeable encryption algorithm. In this way, data is encrypted during an entire transmission and processing process, thereby enhancing security of data sharing.
  • FIG. 5 is an implementation flowchart of a fourth method embodiment under the networking architecture shown in FIG. 1 according to an embodiment of the present invention. This embodiment includes:
  • the key K is generated and stored by the key management center and the key management center does not send the key K to any terminal, including the first terminal, thereby ensuring that the key of the encrypted data is secure.
  • S503 The key management center uploads the encrypted data C1 to a cloud server for storage.
  • the second terminal When a second terminal needs to acquire the original data M, the second terminal sends a request for downloading data to the key management center, where in this embodiment, the request for downloading data includes a request for downloading the original data M or a request for downloading the encrypted data C 1.
  • step S505 The key management center authenticates the second terminal, and if the authentication succeeds, performs step S506.
  • S506 The key management center forwards the request for downloading data to the cloud server.
  • the key management center may also constructs a new downloading request according to the request for downloading data sent by the second terminal, and sends the new downloading request to the cloud server.
  • the key management center receives the encrypted data C1 returned by the cloud server, so as to obtain the encrypted data C 1.
  • the key management center negotiates with the second terminal through a key exchange algorithm, so as to obtain a key Ki.
  • step S508 may also be performed before step S505.
  • the exchangeable encryption algorithm for encrypting the encrypted data C1 to obtain the first intermediate encrypted data C1' is negotiated with the second terminal in advance.
  • S511 The key management center sends the encrypted data C2 to the second terminal.
  • S512 The second terminal decrypts the encrypted data C2 according to a key owned by the second terminal, so as to obtain the original data M, where in this embodiment, the second terminal uses the exchangeable encryption algorithm to decrypt the encrypted data C2 according to the key Ki owned by the second terminal, so as to obtain the original data M.
  • a key management center encrypts original data M and stores, in the key management center, a key for encrypting the original data M; and when receiving a request for decrypting data or a request for downloading data sent by a second terminal, the key management center does not directly provide an encryption key of encrypted data C1 stored in a cloud server for the second terminal but sends encrypted data C2 that is obtained by processing the encrypted data C1 to the second terminal.
  • the method may not only ensure that the second terminal can obtain the original data M finally according to a key owned by the second terminal, but also ensure that a key of the encrypted data C1 stored in the cloud server may not be leaked during a process where the second terminal acquires cloud data, thereby reducing a risk of key leakage and enhancing security of data sharing.
  • the key management center firstly encrypts the obtained encrypted data C1 and then decrypts an encryption result according to a property of an exchangeable encryption algorithm. In this way, data is encrypted during an entire transmission and processing process, thereby enhancing security of data sharing.
  • FIG. 6 is an implementation flowchart of a fifth method embodiment under the networking architecture shown in FIG. 1 according to an embodiment of the present invention. This embodiment includes:
  • the key K is generated and stored by the key management center and the key management center does not send the key K to any terminal, including the first terminal, thereby ensuring that the key of the encrypted data is secure.
  • the key management center uploads the encrypted data C1 to a cloud server for storage.
  • S605 The second terminal receives the encrypted data C1 returned by the cloud server, so as to obtain the encrypted data C 1.
  • the second terminal may also acquire the encrypted data C1 by using the following manner:
  • S606 The second terminal generates a key Kb and stores the key Kb.
  • the second terminal uses the exchangeable encryption algorithm to encrypt the encrypted data C1 according to the key Kb, so as to obtain second intermediate encrypted data C1".
  • the exchangeable encryption algorithm for encrypting the encrypted data C1 to obtain the second intermediate encrypted data C1" is negotiated with the second terminal in advance.
  • the second terminal sends a request for decrypting data to the key management center, where in this embodiment, the request for decrypting data is a request for decrypting the second intermediate encrypted data C1", and the key management center obtains the second intermediate encrypted data C1".
  • a method for the key management center to obtain the second intermediate encrypted data C1" provided in this embodiment of the present invention may include any one of the following manners:
  • Manner 2 The request for decrypting the second intermediate encrypted data C1" does not carry the second intermediate encrypted data C1", and the key management center receives the request for decrypting the second intermediate encrypted data C1" sent by the second terminal, and sends an instruction for acquiring the second intermediate encrypted data C1" to the second terminal, so as to instruct the second terminal to send the second intermediate encrypted data C1" to the key management center.
  • step S609 The key management center authenticates the second terminal, and if the authentication succeeds, performs step S610.
  • the key management center sends the encrypted data C2 to the second terminal.
  • the second terminal decrypts the encrypted data C2 according to a key owned by the second terminal, so as to obtain the original data M, where in this embodiment, the second terminal uses the exchangeable encryption algorithm to decrypt the encrypted data C2 according to the key Kb owned by the second terminal, so as to obtain the original data M.
  • a key management center encrypts original data M and stores, in the key management center, a key for encrypting the original data M; and when receiving a request for decrypting data or a request for downloading data sent by a second terminal, the key management center does not directly provide an encryption key of encrypted data C1 stored in a cloud server for the second terminal but sends encrypted data C2 that is obtained by processing the encrypted data C1 to the second terminal.
  • the method may not only ensure that the second terminal can obtain the original data M finally according to a key owned by the second terminal, but also ensure that a key of the encrypted data C1 stored in the cloud server may not be leaked during a process where the second terminal acquires cloud data, thereby reducing a risk of key leakage and enhancing security of data sharing.
  • the second terminal after receiving the encrypted data C1 stored in the cloud server, the second terminal encrypts the encrypted data C1 according to a key Kb generated by the second terminal and sends the encrypted data C1' that is obtained after encryption to the key management center, so that data is still encrypted after the key management center decrypts the encrypted data C1'. In this way, data is encrypted during an entire transmission and processing process, thereby enhancing security of data sharing.
  • FIG. 7 is an implementation flowchart of a sixth method embodiment under the networking architecture shown in FIG. 1 according to an embodiment of the present invention. This embodiment includes:
  • S702 The key management center encrypts the original data M according to a key K generated by the key management center, so as to obtain encrypted data C1.
  • the key K is generated and stored by the key management center and the key management center does not send the key K to any terminal, including the first terminal, thereby ensuring that the key of the encrypted data is secure.
  • the key management center uses an encryption algorithm that can decrypt the encrypted data C1 according to the key K, where the encryption algorithm includes but is not limited to an exchangeable encryption algorithm or a symmetric encryption algorithm.
  • the symmetric encryption algorithm has the following property:
  • S703 The key management center uploads the encrypted data C1 to a cloud server for storage.
  • S705 The second terminal receives the encrypted data C1 returned by the cloud server.
  • the second terminal may also acquire the encrypted data C1 by using the following manner:
  • S706 The second terminal sends a request for decrypting data to the key management center, where in this embodiment, the request for decrypting data is a request for decrypting the encrypted data C 1, and the key management center obtains the encrypted data C 1.
  • a manner for the key management center to obtain the encrypted data C1 provided in this embodiment of the present invention may include any one of the following manners:
  • Manner 2 The request for decrypting the encrypted data C1 does not carry the encrypted data C1, and the key management center receives the request for decrypting the encrypted data C1 sent by the second terminal, and sends an instruction for acquiring the encrypted data C1 to the second terminal, so as to instruct the second terminal to send the encrypted data C1 to the key management center.
  • the key management center may also make a request for acquiring the encrypted data C1 to the cloud server, which is not described herein in further detail in this embodiment.
  • step S707 The key management center authenticates the second terminal, and if the authentication succeeds, performs step S708.
  • S708 The key management center decrypts the encrypted data C1 according to the key K generated by the key management center, so as to obtain the original data M.
  • the public key of the second terminal is an unclassified content. Any other entity, including a server, a key management center, and another terminal, may obtain the public key of the second terminal. After any other entity uses the public key Ku of the second terminal to encrypt data, the data can be decrypted only according to a private key of the second terminal.
  • the asymmetric encryption algorithm has the following property:
  • S710 The key management center sends the encrypted data C2 to the second terminal.
  • the second terminal decrypts the encrypted data C2 according to a key owned by the second terminal, so as to obtain the original data M, where in this embodiment, the second terminal uses the asymmetric encryption algorithm to decrypt the encrypted data C2 according to a private key Kr of the second terminal, so as to obtain the original data M; and the second terminal determines an encryption algorithm and a corresponding key that are used when the key management center obtains the encrypted data C2, and decrypts the encrypted data C2 according to the determined encryption algorithm and key, so as to obtain the original data M.
  • a manner for the second terminal to determine the encryption algorithm and the corresponding key that are used when the key management center obtains the encrypted data C2 provided in this embodiment of the present invention may include but is not limited to any one of the following manners:
  • Manner 2 When sending the encrypted data C2 to the second terminal, the key management center carries an instruction of the encryption algorithm used for obtaining the encrypted data C2, and the second terminal determines, according to the instruction of the encryption algorithm, the encryption algorithm and the corresponding key that are used for obtaining the encrypted data C2.
  • the second terminal determines that the key management center uses the asymmetric encryption algorithm A to obtain the encrypted data C2 according to the public key Ku of the second terminal, and uses the asymmetric encryption algorithm A to decrypt the encrypted data C2 according to the private key Kr of the second terminal, so as to obtain the original data M.
  • the manner for the key management center to obtain the encrypted data C1 may further include:
  • a key management center encrypts original data M and stores, in the key management center, a key for encrypting the original data M; and when receiving a request for decrypting data or a request for downloading data sent by a second terminal, the key management center does not directly provide an encryption key of encrypted data C1 stored in a cloud server for the second terminal but sends encrypted data C2 that is obtained by processing the encrypted data C1 to the second terminal.
  • the method may not only ensure that the second terminal can obtain the original data M finally according to a key owned by the second terminal, but also ensure that a key of the encrypted data C1 stored in the cloud server may not be leaked during a process where the second terminal acquires cloud data, thereby reducing a risk of key leakage and enhancing security of data sharing.
  • the key management center encrypts the original data M according to a public key of the second terminal, so that a process where the key management center transmits data to the second terminal is secure.
  • FIG. 8 is an implementation flowchart of a seventh method embodiment under the networking architecture shown in FIG. 1 according to an embodiment of the present invention. This embodiment includes:
  • the key management center encrypts the original data M according to a key K generated by the key management center, so as to obtain encrypted data C1 It should be noted that the key K is generated and stored by the key management center and the key management center does not send the key K to any terminal, including the first terminal, thereby ensuring that the key of the encrypted data is secure.
  • the key management center uses an encryption algorithm that can decrypt the encrypted data C1 according to the key K, where the encryption algorithm includes but is not limited to an exchangeable encryption algorithm or a symmetric encryption algorithm.
  • S803 The key management center uploads the encrypted data C1 to a cloud server for storage.
  • S805 The second terminal receives the encrypted data C1 returned by the cloud server.
  • the second terminal may also acquire the encrypted data C1 by using the following manner:
  • S806 The second terminal sends a request for decrypting data to the key management center, where in this embodiment, the request for decrypting data is a request for decrypting the encrypted data C1, and the key management center obtains the encrypted data C1.
  • a manner for the key management center to obtain the encrypted data C1 provided in this embodiment of the present invention may include any one of the following manners:
  • Manner 2 The request for decrypting the encrypted data C1 does not carry the encrypted data C1, and the key management center receives the request for decrypting the encrypted data C1 sent by the second terminal, and sends an instruction for acquiring the encrypted data C1 to the second terminal, so as to instruct the second terminal to send the encrypted data C1 to the key management center.
  • the key management center may also make a request for acquiring the encrypted data C1 to the cloud server, which is not described herein in further detail in this embodiment.
  • step S807 The key management center authenticates the second terminal, and if the authentication succeeds, performs step S808.
  • the key management center negotiates with the second terminal through a key exchange algorithm, so as to obtain a key Ki.
  • the key management center decrypts the encrypted data C1 according to the key K generated by the key management center, so as to obtain the original data M.
  • step S809 may also be performed before step S808.
  • S810 The key management center encrypts the original data M according to the key Ki that is obtained through negotiation, so as to obtain encrypted data C2.
  • the key management center uses an encryption algorithm that can decrypt the encrypted data C2 according to the key Ki, where the encryption algorithm includes but is not limited to a symmetric encryption algorithm S or an exchangeable encryption algorithm E.
  • S811 The key management center sends the encrypted data C2 to the second terminal.
  • the second terminal decrypts the encrypted data C2 according to a key owned by the second terminal, so as to obtain the original data M; and the second terminal determines an encryption algorithm and a corresponding key that are used when the key management center obtains the encrypted data C2, and decrypts the encrypted data C2 according to the determined encryption algorithm and key, so as to obtain the original data M.
  • a manner for the second terminal to determine the encryption algorithm and the corresponding key that are used when the key management center obtains the encrypted data C2 provided in this embodiment of the present invention may include but is not limited to any one of the following manners:
  • Manner 2 When sending the encrypted data C2 to the second terminal, the key management center carries an instruction of the encryption algorithm used for obtaining the encrypted data C2, and the second terminal determines, according to the instruction of the encryption algorithm, the encryption algorithm and the corresponding key that are used for obtaining the encrypted data C2.
  • a manner for the second terminal to decrypt the encrypted data C2 to obtain the original data M may include but is not limited to any one of the following manners:
  • the manner for the key management center to obtain the encrypted data C1 may further include:
  • a key management center encrypts original data M and stores, in the key management center, a key for encrypting the original data M; and when receiving a request for decrypting data or a request for downloading data sent by a second terminal, the key management center does not directly provide an encryption key of encrypted data C1 stored in a cloud server for the second terminal but sends encrypted data C2 that is obtained by processing the encrypted data C1 to the second terminal.
  • the method may not only ensure that the second terminal can obtain the original data M finally according to a key owned by the second terminal, but also ensure that a key of the encrypted data C1 stored in the cloud server may not be leaked during a process where the second terminal acquires cloud data, thereby reducing a risk of key leakage and enhancing security of data sharing.
  • the key management center encrypts the original data according to a key Ki that is obtained through key exchange algorithm negotiation between the key management center and the second terminal and an encryption algorithm that is notified by the key management center to the second terminal during a negotiation process, so that a process where the key management center transmits data to the second terminal is secure.
  • FIG. 9 shows a key management center according to an embodiment of the present invention.
  • the key management center includes:
  • the sending unit 903 is further configured to send the encrypted data C2 obtained by the obtaining unit 904 to the second terminal, so that the second terminal decrypts the encrypted data C2 according to a key owned by the second terminal, so as to obtain the original data M.
  • the obtaining unit 904 includes:
  • an encrypting unit encrypts original data M received by a receiving unit and uploads encrypted data C1 that is obtained after encryption to a cloud server for storage through a sending unit; and when a second terminal needs to acquire the original data M, the sending unit does not directly send an encryption key of the encrypted data C1 stored in the cloud server to the second terminal but sends encrypted data C2 that is obtained by an obtaining unit by processing the encrypted data C1.
  • the method may not only ensure that the second terminal can decrypt the encrypted data C2 according to a key owned by the second terminal, so as to obtain the original data M, but also ensure that a key of the encrypted data C1 stored in the cloud server may not be leaked during a process where the second terminal acquires encrypted data, thereby reducing a risk of key leakage and enhancing security of data sharing.
  • the obtaining unit of the key management center obtains the encrypted data C2 by firstly encrypting the received encrypted data C1 to obtain first intermediate encrypted data C1' and then decrypting the first intermediate encrypted data C1'; or obtains the encrypted data C2 by decrypting second intermediate encrypted data C1" sent by the second terminal. In this way, data is encrypted during an entire transmission and processing process, thereby enhancing security of data sharing.
  • an embodiment of the present invention provides a terminal, including:
  • the sending unit 1001 is specifically configured to send a request for decrypting the encrypted data C1, a request for downloading the original data M, or a request for downloading the encrypted data C1 to the key management center.
  • the receiving unit 1002 includes:
  • a receiving unit when requesting acquiring of original data M, a receiving unit does not directly receive an encryption key of encrypted data C1 stored in a cloud server but receives encrypted data C2 that is obtained by processing the encrypted data C1.
  • the method may not only ensure that a second terminal can decrypt the encrypted data C2 according to a key owned by the second terminal, so as to obtain the original data M, but also ensure that a key of the encrypted data C1 stored in the cloud server may not be leaked during a process where the second terminal acquires encrypted data, thereby reducing a risk of key leakage and enhancing security of data sharing.
  • an embodiment of the present invention provides a terminal, including:
  • a receiving unit when requesting acquiring of original data M, a receiving unit does not directly receive an encryption key of encrypted data C1 stored in a cloud server but receives encrypted data C2 that is obtained by processing encrypted data C1.
  • the method may not only ensure that a second terminal can decrypt the encrypted data C2 according to a key owned by the second terminal, so as to obtain the original data M, but also ensure that a key of the encrypted data C1 stored in the cloud server may not be leaked during a process where the second terminal acquires encrypted data, thereby reducing a risk of key leakage and enhancing security of data sharing.
  • the second terminal firstly encrypts the encrypted data C1, so that data decrypted by a key management center is still encrypted. In this way, data is encrypted during an entire transmission and processing process, thereby enhancing security of data sharing.
  • FIG. 12 shows a system for protecting cloud data security according to an embodiment of the present invention.
  • the system includes:
  • system may further include:
  • first terminal and the second terminal 1201 may be the same terminal.
  • the second terminal 1201 provided in this embodiment includes:
  • the key management center 1202 provided in this embodiment includes:
  • the sending unit is further configured to send the encrypted data C2 obtained by the obtaining unit to the second terminal 1201.
  • a key management center encrypts original data M and stores, in the key management center, a key for encrypting the original data M; and when receiving a request for decrypting data or a request for downloading data sent by a second terminal, the key management center does not directly provide an encryption key of encrypted data C1 stored in a cloud server for the second terminal but sends encrypted data C2 that is obtained by processing encrypted data C 1.
  • the method may not only ensure that the second terminal can obtain the original data M finally according to a key owned by the second terminal, but also ensure that a key of the encrypted data C1 stored in the cloud server may not be leaked during a process where the second terminal acquires cloud data, thereby reducing a risk of key leakage and enhancing security of data sharing.
  • the key management center may obtain the encrypted data C2 by using a manner of decryption after encryption, a manner of encryption after decryption, or a manner of decrypting encrypted data C1' sent by the second terminal. In this way, a manner for the key management center to obtain the encrypted data C2 is more diverse.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Telephonic Communication Services (AREA)
EP11866813.6A 2011-11-09 2011-11-09 Method, device and system for protecting data security in cloud Active EP2704389B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP16205683.2A EP3229436B1 (en) 2011-11-09 2011-11-09 Retrieving data stored securely in the cloud

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2011/081987 WO2012163043A1 (zh) 2011-11-09 2011-11-09 一种保护云中数据安全的方法、装置及系统

Related Child Applications (2)

Application Number Title Priority Date Filing Date
EP16205683.2A Division EP3229436B1 (en) 2011-11-09 2011-11-09 Retrieving data stored securely in the cloud
EP16205683.2A Division-Into EP3229436B1 (en) 2011-11-09 2011-11-09 Retrieving data stored securely in the cloud

Publications (3)

Publication Number Publication Date
EP2704389A1 EP2704389A1 (en) 2014-03-05
EP2704389A4 EP2704389A4 (en) 2015-01-07
EP2704389B1 true EP2704389B1 (en) 2017-04-05

Family

ID=47258336

Family Applications (2)

Application Number Title Priority Date Filing Date
EP16205683.2A Active EP3229436B1 (en) 2011-11-09 2011-11-09 Retrieving data stored securely in the cloud
EP11866813.6A Active EP2704389B1 (en) 2011-11-09 2011-11-09 Method, device and system for protecting data security in cloud

Family Applications Before (1)

Application Number Title Priority Date Filing Date
EP16205683.2A Active EP3229436B1 (en) 2011-11-09 2011-11-09 Retrieving data stored securely in the cloud

Country Status (4)

Country Link
US (1) US9203614B2 (zh)
EP (2) EP3229436B1 (zh)
CN (1) CN103262491A (zh)
WO (1) WO2012163043A1 (zh)

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103312690A (zh) * 2013-04-19 2013-09-18 无锡成电科大科技发展有限公司 一种云计算平台的密钥管理系统及方法
GB2513376A (en) 2013-04-25 2014-10-29 Ibm Distribution of encrypted information in multiple locations
CN104144048B (zh) * 2013-05-10 2018-02-02 华为技术有限公司 一种可信云存储环境下的密钥管理方法、装置和系统
US9413730B1 (en) 2014-06-04 2016-08-09 Skyhigh Networks, Inc. Encryption in the cloud using enterprise managed keys
CN106487773A (zh) * 2015-09-01 2017-03-08 中兴通讯股份有限公司 一种加解密方法及装置
CN108886519B (zh) 2016-03-22 2021-09-14 皇家飞利浦有限公司 数据的云存储
US10505730B2 (en) * 2017-02-06 2019-12-10 Red Hat, Inc. Secure data management
CN107295069B (zh) * 2017-05-27 2020-06-02 Oppo广东移动通信有限公司 数据备份方法、装置、存储介质及服务器
US10972445B2 (en) * 2017-11-01 2021-04-06 Citrix Systems, Inc. Dynamic crypto key management for mobility in a cloud environment
CN108833336A (zh) * 2018-04-18 2018-11-16 北京百度网讯科技有限公司 数据处理方法、装置、计算机设备及存储介质
CN110650121A (zh) * 2019-08-28 2020-01-03 深圳市天道日新科技有限公司 基于分布式系统的流媒体数据保密系统
CN112491921A (zh) * 2020-12-07 2021-03-12 中国电子信息产业集团有限公司第六研究所 一种基于区块链的分布式网关数据保护系统及保护方法
CN112491922B (zh) * 2020-12-07 2023-04-18 中国电子信息产业集团有限公司第六研究所 集中式网关数据保护方法、网关设备、数据服务器及系统

Family Cites Families (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5564106A (en) * 1995-03-09 1996-10-08 Motorola, Inc. Method for providing blind access to an encryption key
US7068787B1 (en) 1998-10-23 2006-06-27 Contentguard Holdings, Inc. System and method for protection of digital works
JP2000181803A (ja) * 1998-12-18 2000-06-30 Fujitsu Ltd 鍵管理機能付電子データ保管装置および電子データ保管方法
US6885748B1 (en) 1999-10-23 2005-04-26 Contentguard Holdings, Inc. System and method for protection of digital works
US7260215B2 (en) * 2001-09-04 2007-08-21 Portauthority Technologies Inc. Method for encryption in an un-trusted environment
US8666065B2 (en) * 2003-02-07 2014-03-04 Britesmart Llc Real-time data encryption
US7502928B2 (en) * 2004-11-12 2009-03-10 Sony Computer Entertainment Inc. Methods and apparatus for secure data processing and transmission
US20090168163A1 (en) 2005-11-01 2009-07-02 Global Bionic Optics Pty Ltd. Optical lens systems
US20090100349A1 (en) * 2007-08-16 2009-04-16 Hancock Jon W Terminal client collaboration and relay systems and methods
WO2009070430A2 (en) * 2007-11-08 2009-06-04 Suridx, Inc. Apparatus and methods for providing scalable, dynamic, individualized credential services using mobile telephones
US8548946B2 (en) 2008-10-14 2013-10-01 Microsoft Corporation Content package for electronic distribution
US8341427B2 (en) * 2009-02-16 2012-12-25 Microsoft Corporation Trusted cloud computing and services framework
JP4802274B2 (ja) * 2009-10-30 2011-10-26 インターナショナル・ビジネス・マシーンズ・コーポレーション メッセージ送信および受信方法
NO331571B1 (no) * 2009-10-30 2012-01-30 Uni I Stavanger System for a beskytte en kryptert informasjonsenhet
US8447970B2 (en) * 2010-02-09 2013-05-21 Microsoft Corporation Securing out-of-band messages
CN102014133B (zh) * 2010-11-26 2013-08-21 清华大学 在云存储环境下一种安全存储系统的实现方法
CN102176709B (zh) * 2010-12-13 2013-11-13 北京交通大学 一种带隐私保护的数据共享与发布的方法和装置

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
MICHAEL BRENNER ET AL: "Secret program execution in the cloud applying homomorphic encryption", DIGITAL ECOSYSTEMS AND TECHNOLOGIES CONFERENCE (DEST), 2011 PROCEEDINGS OF THE 5TH IEEE INTERNATIONAL CONFERENCE ON, IEEE, 31 May 2011 (2011-05-31), pages 114 - 119, XP031953732, ISBN: 978-1-4577-0871-8, DOI: 10.1109/DEST.2011.5936608 *

Also Published As

Publication number Publication date
US20140126723A1 (en) 2014-05-08
EP2704389A4 (en) 2015-01-07
CN103262491A (zh) 2013-08-21
EP3229436A1 (en) 2017-10-11
EP3229436B1 (en) 2018-07-25
WO2012163043A1 (zh) 2012-12-06
US9203614B2 (en) 2015-12-01
EP2704389A1 (en) 2014-03-05

Similar Documents

Publication Publication Date Title
EP2704389B1 (en) Method, device and system for protecting data security in cloud
US11677548B2 (en) Secure distribution of device key sets over a network
CN113259329B (zh) 一种数据不经意传输方法、装置、电子设备及存储介质
CN110213044B (zh) 基于多个非对称密钥池的抗量子计算https签密通信方法和系统
US20140208117A1 (en) Server apparatus and program
JP6556955B2 (ja) 通信端末、サーバ装置、プログラム
RU2019117050A (ru) Управление шифрованием данных посредством множества органов управления
Wu et al. Poster: a certificateless proxy re-encryption scheme for cloud-based data sharing
CN104735070A (zh) 一种通用的异构加密云间的数据共享方法
McGrew et al. AES-CCM elliptic curve cryptography (ECC) cipher suites for TLS
JP2008172736A (ja) 暗号文復号権委譲システム
US20150350375A1 (en) Information Processing Method, Trusted Server, and Cloud Server
CN115766066A (zh) 数据传输方法、装置、安全通信系统及存储介质
US9473471B2 (en) Method, apparatus and system for performing proxy transformation
CN108075896B (zh) 使用基于标识的密码学构建自认证消息的系统和方法
CN111181906B (zh) 一种数据共享方法、装置、设备、系统及存储介质
CN108605046B (zh) 一种消息推送方法及终端
KR101793528B1 (ko) 무인증서 공개키 암호 시스템
KR101595056B1 (ko) 인터클라우드 환경에서의 데이터 공유 시스템 및 공유 방법
KR20070062632A (ko) 암호화를 통한 이동통신 메시지 및 파일 보안 제공 방법
CN108462677A (zh) 一种文件加密方法及系统
CN116112152B (zh) 跨企业网络的数据共享安全加密方法和装置
EP3769462B1 (en) Secure distribution of device key sets over a network
EP3699800A1 (en) Method of distributing an object in a document management system, computer program, document management system
Campagna et al. Internet Engineering Task Force (IETF) D. McGrew Request for Comments: 7251 Cisco Systems Category: Informational D. Bailey

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20131125

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

A4 Supplementary search report drawn up and despatched

Effective date: 20141210

RIC1 Information provided on ipc code assigned before grant

Ipc: H04L 29/06 20060101AFI20141204BHEP

DAX Request for extension of the european patent (deleted)
17Q First examination report despatched

Effective date: 20151019

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

INTG Intention to grant announced

Effective date: 20161011

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

REG Reference to a national code

Ref country code: GB

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: CH

Ref legal event code: EP

REG Reference to a national code

Ref country code: AT

Ref legal event code: REF

Ref document number: 882760

Country of ref document: AT

Kind code of ref document: T

Effective date: 20170415

REG Reference to a national code

Ref country code: IE

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: DE

Ref legal event code: R096

Ref document number: 602011036780

Country of ref document: DE

REG Reference to a national code

Ref country code: NL

Ref legal event code: MP

Effective date: 20170405

REG Reference to a national code

Ref country code: LT

Ref legal event code: MG4D

REG Reference to a national code

Ref country code: AT

Ref legal event code: MK05

Ref document number: 882760

Country of ref document: AT

Kind code of ref document: T

Effective date: 20170405

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: NL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170405

REG Reference to a national code

Ref country code: FR

Ref legal event code: PLFP

Year of fee payment: 7

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170405

Ref country code: FI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170405

Ref country code: HR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170405

Ref country code: NO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170705

Ref country code: AT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170405

Ref country code: GR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170706

Ref country code: ES

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170405

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170805

Ref country code: PL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170405

Ref country code: RS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170405

Ref country code: SE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170405

Ref country code: BG

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170705

Ref country code: LV

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170405

REG Reference to a national code

Ref country code: DE

Ref legal event code: R097

Ref document number: 602011036780

Country of ref document: DE

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: DK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170405

Ref country code: CZ

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170405

Ref country code: SK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170405

Ref country code: EE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170405

Ref country code: RO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170405

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170405

Ref country code: SM

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170405

26N No opposition filed

Effective date: 20180108

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170405

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MC

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170405

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: CH

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20171130

Ref country code: LI

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20171130

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LU

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20171109

REG Reference to a national code

Ref country code: BE

Ref legal event code: MM

Effective date: 20171130

REG Reference to a national code

Ref country code: IE

Ref legal event code: MM4A

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MT

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20171109

REG Reference to a national code

Ref country code: FR

Ref legal event code: PLFP

Year of fee payment: 8

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20171109

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: BE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20171130

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: HU

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; INVALID AB INITIO

Effective date: 20111109

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: CY

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20170405

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170405

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: TR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170405

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: PT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170405

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: AL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170405

REG Reference to a national code

Ref country code: DE

Ref legal event code: R079

Ref document number: 602011036780

Country of ref document: DE

Free format text: PREVIOUS MAIN CLASS: H04L0029060000

Ipc: H04L0065000000

REG Reference to a national code

Ref country code: DE

Ref legal event code: R081

Ref document number: 602011036780

Country of ref document: DE

Owner name: HUAWEI CLOUD COMPUTING TECHNOLOGIES CO., LTD.,, CN

Free format text: FORMER OWNER: HUAWEI TECHNOLOGIES CO., LTD., SHENZHEN, GUANGDONG, CN

REG Reference to a national code

Ref country code: GB

Ref legal event code: 732E

Free format text: REGISTERED BETWEEN 20220428 AND 20220504

P01 Opt-out of the competence of the unified patent court (upc) registered

Effective date: 20230524

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: FR

Payment date: 20230929

Year of fee payment: 13

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: GB

Payment date: 20231006

Year of fee payment: 13

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: DE

Payment date: 20230929

Year of fee payment: 13